Quboid: a Workstation for Safer Web Interaction Amol M. Bhave

Quboid: A Workstation for Safer Web Interaction
by Amol M. Bhave
S.B., E.E.C.S. and Physics, M.I.T. (2017)

Submitted to the Department of Electrical Engineering and Computer Science on August 18, 2017, in partial fulfillment of the requirements for the degree of Master of Engineering in Computer Science and Engineering at the Massachusetts Institute of Technology, September 2017.

© Massachusetts Institute of Technology 2017. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, August 18, 2017
Certified by: M. Frans Kaashoek, Professor, Thesis Supervisor
Certified by: Robert T. Morris, Professor, Thesis Supervisor
Accepted by: Christopher J. Terman, Chairman, Master of Engineering Thesis Committee

Abstract

As more of the world moves towards online technologies, users are exposed to the increasing threat of cyberattacks. Studies show that most of these attacks begin with a phishing attack. Phishing emails and websites may compromise user credentials or download unsolicited and malicious software. This thesis presents the design and implementation of Quboid, a workstation for safer web interaction. Quboid helps users better defend against phishing attacks by providing several security mechanisms. The design of Quboid is based on the principle of isolation and restricted communication. The system enforces isolation by using virtualization to restrict browser instances to show different websites in separate virtual machines. For example, Quboid isolates a user's bank website and social networking website in separate VMs. It uses deep-packet inspection to implement an HTTP/HTTPS proxy filter that ensures virtual machines communicate only with specific web servers. It also provides users with a secure interface and cues to help them recognize phishing attacks.

Thesis Supervisor: M. Frans Kaashoek, Professor
Thesis Supervisor: Robert T. Morris, Professor

Acknowledgments

I would like to thank my advisors, Prof. Frans Kaashoek and Prof. Robert Morris, for their invaluable guidance in finishing this project. Both of my advisors were always there to support me throughout the course of my research, and this thesis would not have been possible without them. They allowed me to work on things that I was excited about and steered me in the right direction throughout. I would also like to thank my department for providing financial assistance during my research. The grants during my teaching and research assistantships helped me continue my studies and also provided valuable experience. I would also like to thank my friends, who were always there when I needed them. They provided the much-needed break and fun in stressful times, and I am grateful to them for their support during my time at MIT. Finally, I would like to express my gratitude to my parents for their unconditional support throughout my years of study. Their visit to the US during my research boosted my morale, and this accomplishment would have been impossible without them.

Contents

1 Introduction 13
1.1 Phishing Attacks 13
1.2 Approach 16
1.3 Contributions 17
1.4 Outline of thesis 19
2 Related Work 21
2.1 Qubes OS 22
2.1.1 Isolation using Virtualization 22
2.1.2 Firewall Policies 23
2.1.3 User Interface 23
2.1.4 Limitations 24
2.2 Bromium 26
2.2.1 Limitations 28
2.3 Google Chrome Browser 28
2.3.1 Limitations 29
2.4 Spam Filters 29
2.4.1 Limitations 30
2.5 EROS Trusted Window System 30
2.5.1 Limitations 31
3 Goals 33
3.1 Blocking Malicious Content 34
3.2 Unambiguous User Interface 36
3.3 Damage Containment 38
4 Design 41
4.1 Site Aggregate Isolation 42
4.2 Cross Site-Aggregate Resources 43
4.3 External Resource Referrer 44
4.4 Exit Destinations 45
4.5 HTTP Response Headers 45
4.5.1 Site-Aggregate-Name 45
4.5.2 Site-Aggregate-Pattern 46
4.5.3 Cross-Site-Aggregate-Resource-Pattern 46
4.5.4 Exit-Pattern 47
4.6 DNSSEC and SSL/TLS Certificates 48
4.7 User Interface 49
5 Implementation 53
5.1 Overview 53
5.2 Isolation using Qubes OS 55
5.2.1 Other Approaches 55
5.3 Proxy Filter VM 57
5.3.1 Other Approaches 58
5.4 Site Aggregate Isolation 58
5.4.1 HTTP Request Headers 58
5.4.2 Resource Integrity Checks 59
5.4.3 Other Approaches 59
5.5 Single Application Window Manager 60
6 Analysis 63
6.1 Common Attack Scenarios 63
6.1.1 Attacks via email 63
6.1.2 Malvertisements 67
6.1.3 Attacks using User Interface Ambiguity 68
6.1.4 Other Attacks 68
6.1.5 Attacks that Quboid does not defend against 69
6.2 Quboid Defense Mechanisms 69
6.3 Implementation Overhead 70
6.3.1 Network Latency 70
6.3.2 Virtualization Overhead 71
6.3.3 User Experience 72
7 Conclusion 75
7.1 Future Work 76

List of Figures

1-1 This figure shows a phishing email disguised to appear to come from PayPal. The link shown in the email leads to a fake login page which allows the attacker to steal user credentials. 14
1-2 This figure shows a phishing email with an attachment that, when executed, installs ransomware onto the user's computer. 15
2-1 This screenshot shows the user interface of Qubes OS. Each of the applications is running in a separate virtual machine. The user has labelled the virtual machines as [work], [work-web] and [untrusted], and has given them distinct border colors to visually differentiate the virtual machines. 25
2-2 This screenshot shows the prompt shown after the WannaCry ransomware has finished encryption of the whole hard disk. The attack uses a bug in the OS to compromise the whole system. It then encrypts the hard disk, sends the decryption keys to the attackers and then deletes those keys from the local system. The only way to recover the keys is by paying the attacker $300 via Bitcoin and hoping to re-obtain the decryption keys. 27
3-1 The email in this figure has an image which appears to be an attachment but in fact is a link to an external page which displays a login page. 35
3-2 Clicking on the fake attachment leads to this fake login page. 35
3-3 Both domain names are similar except for their use of the small letter "a". One uses a Unicode Cyrillic "a" whereas the other uses a Latin "a". 39
4-1 This figure shows a phishing page which is prompting the user to update their browser by clicking on the link. 50
4-2 This figure shows the same phishing page as before after the user clicks on the link. The link leads to the browser installing a malicious add-on disguised as a fake update. 52
5-1 Isolation among different site-aggregates is enforced by using a separate browser instance per site-aggregate. Traffic from different browser instances is routed through an intermediate proxy virtual machine. The proxy VM runs an HTTP/HTTPS filter to filter requests from the browsers to provide isolation and enforce the policies presented in this thesis. 54
5-2 A screenshot of the user interface of the secure workstation implementation. The top bar is a reserved area for the site-aggregate name of the active browser instance and any system prompts. The rest of the screen is used exclusively by a single browser instance. 61
6-1 This phishing email appears to come from Microsoft but the domain is suspicious (onmicrosoft.com). The verify link contained in the email leads the user to a fake login page. 65
6-2 This phishing email appears to contain legitimate content but instead contains ransomware in the attached ZIP file. 66
6-3 Average latency in different proxy configurations 71
6-4 Plot of average VM opening time vs. the number of existing running VMs 72

Chapter 1 Introduction

Recent years have seen a rise in cybersecurity attacks. From the 2016 Democratic National Committee (DNC) hack [1] to the WannaCry ransomware attack on the U.K. National Health Service [2], the effects of these attacks range from influencing elections to disrupting health care throughout a country. As more of the world moves towards online systems, attackers are increasingly motivated to try newer and more sophisticated attacks. On the opposing side, there have been developments on the cybersecurity front as well. Most products release regular security updates to fix bugs in their software. However, very few focus on what lies at the heart of these attacks: phishing. A report [3] published by PhishMe, a phishing defense solutions company, in 2016 found that "91% of cyberattacks and resulting data breach begin with a spear phishing email" [4].

1.1 Phishing Attacks

A phishing attack is a type of attack intended to trick the user into revealing sensitive information for malicious purposes. Such an attack is commonly executed through fake emails or websites. A successful phishing attack may steal user credentials or install malicious software on the user's system, eventually leaving the user open to other forms of attack.

Figure 1-1: This figure shows a phishing email disguised to appear to come from PayPal. The link shown in the email leads to a fake login page which allows the attacker to steal user credentials.
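The abstract describes a proxy filter VM that lets each browser VM communicate only with the web servers of its own site aggregate. The following is an added example, not code from the thesis or the Quboid implementation, sketching such a deny-by-default destination check as a forward proxy would apply it to HTTPS (CONNECT) and plain HTTP requests. The site-aggregate names, host patterns and browser-VM addresses are constructed for the illustration; the thesis's own header-driven policy (Site-Aggregate-Pattern, Exit-Pattern and related headers) is not reproduced here.

```python
"""Deny-by-default per-VM destination filter in the spirit of Quboid's proxy filter VM.

Added illustration, not code from the thesis. The site aggregates, host patterns
and VM addresses are constructed for this example.
"""
import fnmatch
import re
from typing import Optional, Tuple

# Constructed policy: each site aggregate may talk only to hosts matching its patterns.
SITE_AGGREGATE_HOSTS = {
    "bank": ["bank.example", "*.bank.example"],
    "social": ["social.example", "*.social.example", "cdn.social-static.example"],
}

# Constructed mapping from a browser VM's address (as the proxy VM sees it)
# to the single site aggregate that VM is dedicated to.
VM_SITE_AGGREGATE = {
    "10.137.0.11": "bank",
    "10.137.0.12": "social",
}


def normalize_host(raw: str) -> Optional[str]:
    """Lower-case, strip a :port, and convert an IDN host to its ASCII (A-label) form.

    Returns None for anything that is not a plain DNS hostname; callers treat None as deny.
    """
    host = raw.strip().lower().rstrip(".")
    if ":" in host:  # strip :port (IPv6 literals are deliberately not accepted here)
        host = host.split(":", 1)[0]
    if not host:
        return None
    try:
        # Browsers send IDNs as punycode, so a homograph such as Cyrillic 'а' in
        # "bаnk.example" becomes an "xn--..." label and never matches an ASCII pattern.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host if re.fullmatch(r"[a-z0-9.-]+", host) else None


def destination_host(request_line: str, host_header: Optional[str] = None) -> Optional[str]:
    """Extract the destination host from a request as a forward proxy sees it.

    CONNECT host:port ...   -> host          (HTTPS tunnel; only the host is visible)
    GET http://h/p ...      -> h             (absolute-form, plain HTTP via proxy)
    GET /p HTTP/1.1         -> Host header   (origin-form)
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return normalize_host(target)
    if "://" in target:
        authority = target.split("://", 1)[1].split("/", 1)[0]
        # Drop any userinfo ("user@host") so it cannot disguise the real host.
        return normalize_host(authority.rsplit("@", 1)[-1])
    return normalize_host(host_header) if host_header else None


def host_allowed(site_aggregate: str, host: str) -> bool:
    """True if host matches one of the aggregate's patterns ('*' is a glob, '.' is literal)."""
    patterns = SITE_AGGREGATE_HOSTS.get(site_aggregate, [])
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in patterns)


def filter_request(src_vm: str, request_line: str,
                   host_header: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether the proxy forwards a request from a browser VM. Deny by default."""
    site_aggregate = VM_SITE_AGGREGATE.get(src_vm)
    if site_aggregate is None:
        return False, f"deny: unknown source VM {src_vm}"
    host = destination_host(request_line, host_header)
    if host is None:
        return False, "deny: no usable destination host"
    if host_allowed(site_aggregate, host):
        return True, f"allow: {host} belongs to site aggregate '{site_aggregate}'"
    return False, f"deny: {host} is outside site aggregate '{site_aggregate}'"


if __name__ == "__main__":
    # Constructed requests as the proxy VM would see them: (source VM, request line, Host header).
    samples = [
        ("10.137.0.11", "CONNECT bank.example:443 HTTP/1.1", None),
        ("10.137.0.11", "GET http://social.example/feed HTTP/1.1", None),
        ("10.137.0.12", "GET /feed HTTP/1.1", "api.social.example"),
        ("10.137.0.12", "GET /login HTTP/1.1", "evil.example"),
        ("10.137.0.99", "CONNECT bank.example:443 HTTP/1.1", None),
        ("10.137.0.11", "CONNECT b\u0430nk.example:443 HTTP/1.1", None),  # Cyrillic 'а' homograph
    ]
    for src, line, host in samples:
        _, reason = filter_request(src, line, host)
        print(f"{src}  {line!r:48} -> {reason}")
```

Two points the example makes that the abstract only implies: for HTTPS the filter sees nothing but the CONNECT host (TLS hides the path), so host-level policy is the right granularity for such a proxy; and because browsers send internationalized names in punycode, the Cyrillic-"a" lookalike of an allowed host (the attack pictured in Figure 3-3) arrives as an xn-- label and is denied by an ASCII allowlist without any special casing.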
